80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992

Analysis

max time kernel
103s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
Size

178KB
MD5

70d2c5786b535e8f8487236db8526160
SHA1

03d13a48f963945378c63bc38865f23617ed6ef6
SHA256

80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992
SHA512

17f68436e0c800ef6c38a98a5d47959aba7285ed45f5d568f79de5c2e767f2ee845bba852a8f064770df4375ef34b9946ba95749e8f148e395d61a022c8e4cf1
SSDEEP

3072:akAwOzhjdRmSZiAqFbrnp+KsYGnggRqM86sUd8cKgev3Tno3LFkZWmv:+w8h/7PCkKsYGggB8mFrC3Lo3Ix

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2256-138-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2256-141-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3912-144-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3912-145-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2256-143-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3912-148-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "576368249"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371525319"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "731211833"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4D051913-42BA-11ED-89AC-5203DB9D3E0F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "576368249"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "731211833"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987975"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4CFDF333-42BA-11ED-89AC-5203DB9D3E0F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987975"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987975"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987975"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
Token: SeDebugPrivilege	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4932	iexplore.exe
4828	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4828	iexplore.exe
4828	iexplore.exe
4932	iexplore.exe
4932	iexplore.exe
4552	IEXPLORE.EXE
4552	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3912	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe	83
PID 2256 wrote to memory of 3912	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe	83
PID 2256 wrote to memory of 3912	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe	83
PID 3912 wrote to memory of 4828	3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe	84
PID 3912 wrote to memory of 4828	3912	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe	84
PID 2256 wrote to memory of 4932	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe	85
PID 2256 wrote to memory of 4932	2256	80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe	85
PID 4932 wrote to memory of 1028	4932	iexplore.exe	86
PID 4828 wrote to memory of 4552	4828	iexplore.exe	87
PID 4828 wrote to memory of 4552	4828	iexplore.exe	87
PID 4932 wrote to memory of 1028	4932	iexplore.exe	86
PID 4828 wrote to memory of 4552	4828	iexplore.exe	87
PID 4932 wrote to memory of 1028	4932	iexplore.exe	86

C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe
"C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
  C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4552
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
9309ab85580c3f90311d2b4b39ff3001

SHA1
9b3a99262d5c1dab00d5deb1e341a04c600c7688

SHA256
54d1fbb49257489e991e43c93a83d159320b3ac34c7d7b42a84bbaa3a5e98dbb

SHA512
a709f897fbfa0beeb4516dbc41aa018d78acaaedd75a4673017f6dc8618a630104b36194de6ba4b8f82b52878bc7560ae459b3bd7f07b48bf88f5f36899cf6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4CFDF333-42BA-11ED-89AC-5203DB9D3E0F}.dat

Filesize
3KB

MD5
2a58d15e626318f616d750ced4f957d3

SHA1
ac95254cdd78d645f548a08e8d0e4917bc6efe63

SHA256
dc01315f986e97db5c41e2e57c7396b678c411baa836253cab8f36e7ec3dff34

SHA512
95cb3072fb8f0999d63e7b2d91ac47e0d2e87fa84446bdf289c9852d8597791b98af27dfb3029e18c549a58950a05b54f55dbd0d6b2fdab3e92ef9d894060c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D051913-42BA-11ED-89AC-5203DB9D3E0F}.dat

Filesize
5KB

MD5
8ca40c370ade66337c93ed6798bcac10

SHA1
8c16a008a836d8d7dbb8d3cfb74cc48b3ee82e14

SHA256
a75cc6fb1a04bb4122b03d23f9c1ac81b477bed2b0607294d3f1c00ce29de392

SHA512
bdc8f54bd601de310fff74f89a35f4ddcc17526fe958afa4666838edcdd0920647970f1f308b22b47187072e321a08794bab1a1b39232598f01f4fe9cbb10f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\80752f30ed3b42dbb004700e1ee670a50eebf2f9ad477fac333eea20923a6992mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
memory/2256-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2256-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2256-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3912-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3912-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3912-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download